5) Now the decoding. It is not secure to decrypt on the production server: decryption needs the private SSL key, and even if that key is protected by a passphrase, an attacker who controls the server can brute-force it or capture the passphrase the moment you type it in.

Decryption must be done on a private server belonging to the customer. If they don't have one, all they need is a machine with PHP to run the decode script.

You can build a simple page where the user pastes the base64 text from the e-mail and it decrypts the credit card data for them.
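The following is an added example of such a decode page, not code from the original post. It assumes the web server encrypted the card data with `openssl_public_encrypt()` using OAEP padding and the matching RSA public key, that the passphrase-protected private key is at the assumed path `/home/merchant/keys/private.pem` on the customer's private machine, and that this page is served only there (for example bound to localhost), never on the production web server:

```php
<?php
// Added example: private-side decode page. Assumptions (not from the original post):
// - the production server used openssl_public_encrypt() with OPENSSL_PKCS1_OAEP_PADDING
//   and the public half of the same RSA key pair;
// - the passphrase-protected private key lives at PRIVATE_KEY_PATH on the merchant's
//   private machine, which is the only place this page should ever run.
declare(strict_types=1);

const PRIVATE_KEY_PATH = '/home/merchant/keys/private.pem'; // assumed path

/** Decode the base64 blob pasted from the e-mail and decrypt it with the private key. */
function decryptCardBlob(string $base64, string $passphrase): string
{
    $cipher = base64_decode(trim($base64), true); // strict: reject stray characters
    if ($cipher === false) {
        throw new InvalidArgumentException('Input is not valid base64');
    }
    $key = openssl_pkey_get_private('file://' . PRIVATE_KEY_PATH, $passphrase);
    if ($key === false) {
        throw new RuntimeException('Cannot load private key: ' . openssl_error_string());
    }
    $plain = '';
    $ok = openssl_private_decrypt($cipher, $plain, $key, OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok) {
        throw new RuntimeException('Decryption failed: ' . openssl_error_string());
    }
    return $plain;
}

$result = null;
$error  = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $result = decryptCardBlob($_POST['blob'] ?? '', $_POST['passphrase'] ?? '');
    } catch (Throwable $e) {
        $error = $e->getMessage(); // never log the plaintext, only the failure reason
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<form method="post" autocomplete="off">
  <p><label>Base64 text from the e-mail:<br>
     <textarea name="blob" rows="8" cols="70"></textarea></label></p>
  <p><label>Key passphrase: <input type="password" name="passphrase"></label></p>
  <p><button type="submit">Decode</button></p>
</form>
<?php if ($error !== null): ?>
  <p>Error: <?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php elseif ($result !== null): ?>
  <pre><?= htmlspecialchars($result, ENT_QUOTES, 'UTF-8') ?></pre>
<?php endif; ?>
</body>
</html>
```

The padding constant must match whatever the encrypting side used, otherwise `openssl_private_decrypt()` fails; the strict `base64_decode()` catches copy-and-paste damage from the mail client before it reaches the key, and the decrypted value is only ever echoed back to the form, never written to disk or to a log.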

This whole concept is for small businesses that process credit cards manually.

The advantage of this solution is that no attacker can steal credit card data retroactively, whether from a compromised server or via SQL injection.

The weak point of the whole solution is that users still enter their credit card data on your web pages. If an attacker takes control of your server he cannot steal the card data already collected, but he can steal any new card data entered from that point on. So make sure you run security checks on your server: for example, run an hourly sha1 checksum over the pages that collect and save the credit card data; if they have changed, I suggest deleting them and notifying yourself that the server was compromised.
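The hourly check described above, as an added example that is not part of the original post. It assumes the card-collection pages live under `/var/www/html` with the assumed file names listed in `WATCHED`, that the baseline digests are kept outside the web root in `/root/integrity/baseline.sha1`, and that alerts go to `admin@example.com`; all of these are placeholders:

```php
#!/usr/bin/env php
<?php
// Added example: hourly sha1 integrity check for the card-collection pages.
// Assumptions (not from the original post): WEB_ROOT, BASELINE, ALERT_TO and the
// WATCHED file names are placeholders. Schedule from cron, e.g.
//   0 * * * * /root/integrity/check.php
// and record the known-good state once with:  /root/integrity/check.php --init
declare(strict_types=1);

const WEB_ROOT = '/var/www/html';
const BASELINE = '/root/integrity/baseline.sha1';
const ALERT_TO = 'admin@example.com';
const WATCHED  = ['card-form.php', 'card-submit.php', 'pubkey.pem']; // assumed names

/** sha1 digest of every watched file; a missing file maps to null. */
function currentDigests(): array
{
    $out = [];
    foreach (WATCHED as $name) {
        $path = WEB_ROOT . '/' . $name;
        $out[$name] = is_file($path) ? sha1_file($path) : null;
    }
    return $out;
}

/** Read the baseline in "digest  filename" form (the layout sha1sum writes). */
function loadBaseline(): array
{
    $base  = [];
    $lines = file(BASELINE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        [$digest, $name] = preg_split('/\s+/', trim($line), 2);
        $base[$name] = $digest;
    }
    return $base;
}

/** Names of files whose digest differs from the baseline, or which vanished. */
function changedFiles(array $baseline, array $current): array
{
    $changed = [];
    foreach ($baseline as $name => $digest) {
        if (!isset($current[$name]) || !hash_equals($digest, (string) $current[$name])) {
            $changed[] = $name;
        }
    }
    return $changed;
}

if ($argc > 1 && $argv[1] === '--init') {
    // First run: record the known-good digests.
    $lines = [];
    foreach (currentDigests() as $name => $digest) {
        $lines[] = "$digest  $name";
    }
    file_put_contents(BASELINE, implode("\n", $lines) . "\n");
    exit(0);
}

$changed = changedFiles(loadBaseline(), currentDigests());
if ($changed === []) {
    exit(0); // everything matches the baseline
}

// Tampered pages: take them offline (as the post suggests) and raise the alarm.
foreach ($changed as $name) {
    @unlink(WEB_ROOT . '/' . $name);
}
mail(ALERT_TO, 'Possible compromise: card pages modified',
     "These files changed since the baseline and were removed:\n"
     . implode("\n", $changed) . "\n");
exit(1);
```

Keeping the baseline and the checker outside the web root matters, but an attacker with root can still edit both, so the same check is more trustworthy when a copy of it runs from a separate machine that fetches the pages over the network and compares them against its own baseline.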